
# Docker

## Quick Guide

Here are the top 3 things to take care of when building your container:

### 1. Do not run your container as root

Define a dedicated, unprivileged user to run your program. Note that the Alpine image ships BusyBox, so the user and group are created with `addgroup`/`adduser` (the `groupadd`/`useradd` commands from the `shadow` package are not installed by default).

```docker
FROM alpine:3.12
# Create a system group and a system user (no password, no login shell) to run the app
RUN addgroup -S myuser && adduser -S -G myuser myuser
# <HERE DO WHAT YOU HAVE TO DO AS A ROOT USER LIKE INSTALLING PACKAGES ETC.>
# Every instruction after this line (and the container process itself) runs as myuser
USER myuser
```

You can also choose to run the Docker daemon itself in [rootless](https://docs.docker.com/engine/security/rootless/) mode, so that even a container escape does not land on a root-owned daemon.

### 2. Choose an official image and use a specific tag

We are (badly) used to the good old `myimage:latest`, but that tag is a moving target: we can be in for unpleasant surprises if one of these images is updated upstream and breaks our code, and a build is no longer reproducible.

So use only official images with a well-defined tag:

```docker
# 🚫
FROM alpine

# ✅
FROM alpine:3.12
```

### 3. Run a vulnerability scan

Whenever you build your image, run a scan to check that it does not contain worrying vulnerabilities (focus mainly on **HIGH** and **CRITICAL** severity).

One option is to use [Trivy](https://aquasecurity.github.io/trivy/v0.32/getting-started/quickstart/).

{% embed url="https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov" %}
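The three cautions above can be checked mechanically before `docker build` runs. The script below is an added example, not code from the original guide: it lints a Dockerfile for a missing or root `USER` (tip 1) and for untagged or `:latest` base images (tip 2), and scans the built image with Trivy for HIGH/CRITICAL findings (tip 3) when `trivy` is installed. The function names and the two sample Dockerfiles are constructed for this example; the script goes a little beyond the text by handling multi-stage builds (a `FROM builder` that references an earlier stage is not a base image) and digest-pinned images, which count as pinned.

```shell
#!/bin/sh
# Added example (not from the original guide): a small Dockerfile lint for the
# three cautions above. Function names and sample files are constructed.

# Print base images that are unpinned or use :latest, one per line.
unpinned_images() {
  awk '
    toupper($1) == "FROM" {
      img = $2
      if (img ~ /^--/) img = $3                    # skip e.g. --platform=linux/amd64
      if (img == "scratch" || img in stages) next  # empty image or an earlier stage
      for (i = 1; i <= NF; i++)
        if (toupper($i) == "AS") stages[$(i + 1)] = 1
      n = split(img, parts, "/"); last = parts[n]  # registry part may contain ":port"
      if (last !~ /[:@]/)         print img " (no tag)"
      else if (last ~ /:latest$/) print img " (latest)"
    }' "$1"
}

# Print the effective user of the last stage ("root" when no USER is set).
final_user() {
  awk '
    toupper($1) == "FROM" { user = "root" }                     # each stage starts as root
    toupper($1) == "USER" { user = $2; sub(/:.*/, "", user) }   # drop optional :group
    END { u = (user == "" || user == "0") ? "root" : user; print u }' "$1"
}

# Lint a Dockerfile: print each finding and return the number of findings.
check_dockerfile() {
  df="$1"
  findings=0
  out=$(unpinned_images "$df")
  if [ -n "$out" ]; then
    printf '%s\n' "$out" | while read -r line; do
      echo "[$df] base image $line: pin a specific tag (tip 2)"
    done
    findings=$(printf '%s\n' "$out" | awk 'END { print NR }')
  fi
  if [ "$(final_user "$df")" = "root" ]; then
    echo "[$df] final stage runs as root: add a non-root USER (tip 1)"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Scan a built image for HIGH/CRITICAL vulnerabilities (tip 3); Trivy exits
# non-zero when any are found, which fails a CI pipeline. Skipped without trivy.
scan_image() {
  if command -v trivy >/dev/null 2>&1; then
    trivy image --severity HIGH,CRITICAL --exit-code 1 "$1"
  else
    echo "trivy not installed; skipping image scan for $1"
  fi
}

# Constructed sample Dockerfiles (not from the page), written to temp files.
BAD_DF=$(mktemp); GOOD_DF=$(mktemp)
cat > "$BAD_DF" <<'EOF'
FROM alpine
RUN apk add --no-cache curl
CMD ["curl", "--version"]
EOF
cat > "$GOOD_DF" <<'EOF'
FROM golang:1.21 AS builder
WORKDIR /src
COPY . .
RUN go build -o /app .

FROM alpine:3.12
RUN addgroup -S myuser && adduser -S -G myuser myuser
COPY --from=builder /app /app
USER myuser
ENTRYPOINT ["/app"]
EOF

check_dockerfile "$BAD_DF" || echo "-> $? finding(s) in the BAD sample (expected 2)"
check_dockerfile "$GOOD_DF" && echo "-> GOOD sample passes; next step would be: scan_image <image:tag>"
```

Run it as `sh lint.sh`; in a pipeline, call `check_dockerfile Dockerfile || exit 1` before the build and `scan_image myapp:1.2.3` after it. A `USER` with a numeric UID other than `0` is accepted, since the check is only about not being root.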

## Useful Links

### Articles

* [Oficial - Docker security](https://docs.docker.com/engine/security/)
* [OWASP - Docker Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)
* [Aqua - Top 20 Docker Security Best Practices: Ultimate Guide](https://blog.aquasec.com/docker-security-best-practices)
* [Snyk - 10 best practices to build a Java container with Docker](https://snyk.io/blog/best-practices-to-build-java-containers-with-docker)
* [ReynardSec - Docker Security – Step-by-Step Hardening (Docker Hardening)](https://reynardsec.com/en/docker-platform-security-step-by-step-hardening/)

### Videos

* [HackerSploit - Docker Security Essentials | How To Secure Docker Containers](https://www.youtube.com/watch?v=KINjI1tlo2w)
* [TechWorld with Nana - Top 8 Docker Best Practices for using Docker in Production](https://www.youtube.com/watch?v=8vXoMqWgbQQ)

### Labs / Tutorials / Courses

* [TryHackMe - DEEPCE](https://tryhackme.com/room/deepce) (requires being logged in to THM)
* [Play With Docker](https://www.docker.com/play-with-docker/): tutorials, hands-on labs and training for learning Docker.
* [FreeCodeCamp :: Docker Containers and Kubernetes Fundamentals – Full Hands-On Course](https://www.youtube.com/watch?v=kTp5xUtcalw)

### Tools

* [DEEPCE - Docker Enumeration, Escalation of Privileges and Container Escapes](https://github.com/stealthcopter/deepce)
